Supply-chain attack hits RubyGems repository with 725 malicious packages:
More than 725 malicious packages downloaded thousands of times were recently found populating RubyGems, the official channel for distributing programs and code libraries for the Ruby programming language.
The malicious packages were downloaded almost 100,000 times, although a significant percentage of those are likely the result of scripts that automatically crawl all 158,000 packages available in the repository, Tomislav Pericin, the cofounder and chief software architect of security firm ReversingLabs, told Ars. All of them originated from just two user accounts: "JimCarrey" and "PeterGibbons."
The accounts, which ReversingLabs suspects may be the work of a single individual, used a variation of typosquatting—the technique of giving a malicious file or domain a name that's similar to a commonly recognizable name—to give the impression they were legitimate. For instance, "atlas-client," a booby-trapped package with 2,100 downloads, was a stand-in for the authentic "atlas_client" package. More than 700 of the packages were uploaded from February 16 to 25.
Once installed, the packages executed a script that attempted to intercept Bitcoin payments made on Windows devices.
Related Stories
Developer and entrepreneur Bert Hubert has written about how software supply chain safety is similar to food supply safety. Both are about recognizing hazards and finding critical control points to monitor. Strict rules about handling must also be followed, in both fields.
You can’t just buy the required stuff and declare the food is now safe. It requires constant vigilance.
The analogies to cybersecurity are overwhelming. Food safety is the proper analogy for cybersecurity.
Compare:
- The enemy is invisible (germs)
- You can get infected via your supply chain, which is also your responsibility
- A single employee not paying attention can sink you
- Out of sight, bugs can fester for years before causing harm
- Without the right infrastructure, you are doomed
- But even if you buy the right stuff, there are no silver bullet solutions - only paths to improvement
So I looked into this a bit more, as related fields can often provide very good inspiration. And I was blown away by what I found.
Food safety has been around for a while now and they are light years ahead of us. A mainstay of providing safe food is HACCP[*].
[*] HACCP: Hazard analysis and critical control points.
The key in both areas is recognition that safety is an ongoing process and not a product or appliance which can be tacked on aftermarket.
Previously:
(2020) Supply-Chain Attack Hits RubyGems Repository with 725 Malicious Packages
(2020) A Better Kind of Cybersecurity Strategy
(Score: 0) by Anonymous Coward on Sunday April 19 2020, @01:12PM
All RubyGems are malicious packages, by design.
(Score: 0) by Anonymous Coward on Sunday April 19 2020, @04:36PM (3 children)
Here's the PeterGibbons I know about, successful race car engineer:
https://www.multimatic.com/showcase/multimatic-bolsters-vehicle-dynamics-know-how-with-addition-of-renowned-race-engineer-peter-gibbons/ [multimatic.com]
(Score: 0) by Anonymous Coward on Sunday April 19 2020, @06:08PM
Thanks for letting us know.
(Score: 0) by Anonymous Coward on Monday April 20 2020, @12:36AM (1 child)
I heard he made a monkey of himself.
(Score: 2) by The Vocal Minority on Monday April 20 2020, @05:08AM
Need a "groan" mod.
(Score: 2) by rigrig on Sunday April 19 2020, @08:38PM
It makes me sad that after the first dozen or so times this happened, popular repositories still haven't implemented some broader name checks than "exact match".
No one remembers the singer.
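The broader-than-exact-match name check rigrig asks for, applied to the "atlas-client" versus "atlas_client" case from the summary, as an added Ruby example that is not from the article or from any commenter; the popular-gem list is a constructed sample and the one-edit threshold is an assumption:

```ruby
# Added example: a repository-side "near-name" check for newly submitted gem
# names. It flags names that collide with a known gem after separator
# normalisation (atlas-client vs atlas_client) or sit within a small edit
# distance of one (nokogori vs nokogiri). Exact matches are simply taken names.

# Constructed sample of already-registered, popular gem names.
POPULAR_GEMS = %w[atlas_client rails nokogiri rest-client].freeze

# Lowercase the name and treat '-', '_' and '.' as interchangeable separators.
def normalize(name)
  name.downcase.gsub(/[-_.]/, '')
end

# Levenshtein edit distance (insert / delete / substitute), dynamic programming
# over a single rolling row.
def levenshtein(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end

# Returns [known_gem, reason] when the candidate is suspiciously close to an
# existing gem, or nil when it is clearly distinct. The threshold of one edit
# is an assumption; very short names may warrant a stricter rule.
def typosquat_candidate(name, registry = POPULAR_GEMS, max_distance: 1)
  return nil if registry.include?(name) # exact match: taken, not a typosquat
  norm = normalize(name)
  registry.each do |known|
    return [known, :separator_variant] if normalize(known) == norm
  end
  registry.each do |known|
    return [known, :edit_distance] if levenshtein(name, known) <= max_distance
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  %w[atlas-client nokogori rails sinatra].each do |n|
    puts "#{n}: #{typosquat_candidate(n).inspect}"
  end
end
```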
(Score: 3, Insightful) by darkfeline on Sunday April 19 2020, @09:18PM (2 children)
Russ Cox discussed external dependencies in the modern age, and particularly how we're prone to adding them irresponsibly.
https://research.swtch.com/deps [swtch.com]
I think developers need to be practicing a bit more NIH syndrome, although that does depend on them being competent enough to implement such functionality correctly.
Join the SDF Public Access UNIX System today!
(Score: 0) by Anonymous Coward on Sunday April 19 2020, @09:32PM
> competent enough to implement such functionality correctly
Do you know how hard it is to write your own bitcoin payment interception code?
(Score: 2) by krishnoid on Monday April 20 2020, @04:56AM
Couldn't you s/package/interpreter/g in that text and have the same argument? Seems like some kind of basic security auditing at the repository level would be a start, like Apple and Google do for apps.